Search redirect malware (ZeroAccess)

I've apparently contracted a nasty redirect virus. I brought the computer to a repair shop and left it overnight; however, they said that they were unable to remove all of it and that it would likely become "reinfected".

I'm not particularly computer savvy, but I know enough to know that I shouldn't need to pay $200 to a couple of guys who, after probably 20 minutes of work, decide that the only cure is to wipe the drive and reinstall the OS.

They ended up charging me $30 to tell me they didn't know what they were doing.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.

Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

Close any open browsers.

WARNING: Combofix will disconnect your machine from the Internet as soon as it starts

Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.

If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.**

**Note 2 for AVG users:** ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.

**Note 3:** If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop. Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com), which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator.

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

I've run both scanners. The aswMBR ran with no noticeable problems; however, when I ran ComboFix I had left the room at the blue window which was going through stages, and when I returned the computer was asking about a Recovery Fix. The windows were different in that they looked very Windows 95/98-esque. I hit the recover button, remembering that your site said if ComboFix asked to recover that I should.

Here are the logs that I've found; the ComboFix one seems rather short:

I deleted the ComboFix folder and ran it again per the instructions above and this time I stuck to the screen to see what would happen.

Once CF got through its 50 or so stages the computer restarted. Shortly after the Windows logo popped up and pulsed for a bit, the screen went black for a moment and then the system seemed to reset itself again.

It ran through the boot process again this time bringing up a black and white DOS screen titled Windows Error Recovery which had 2 options:
Begin Startup Recovery (Recommended) and Start Windows Normally.

I chose Start Windows Normally which repeated the above loop of failure and landed me again at the recovery screen.

I then chose Begin Startup Recovery and was bustled through a scan screen titled Startup Repair. There the window spent some time "Searching for problems..." and then asked if I wanted to use System Restore.

I chose the affirmative and after a minute of looking at a pulsing bar the system gave me another error message saying that the System Restore failed and asked if I wanted to Shut Down or Restart.

I chose Shut Down, let the thing power down for a moment, then turned the thing on again and this time it booted right up.

There was a message when the desktop loaded stating that windows had successfully recovered.

The ComboFix log is even shorter than the last one.

I went to the C:\ComboFix folder and copied the ComboFix.txt I found there:

BB ran without issue, but upon restarting, the computer failed to boot into Windows. Just after the Windows logo, a blue screen flashed for a fraction of a second and then the system reset. I was forced to use System Restore in order to get back into Windows (as in post #6).

Open Windows Explorer. Go Tools > Folder Options > View tab, put a checkmark next to Show hidden files, and folders.
Upload following files to http://www.virustotal.com/ for security check:
- C:\Windows\System32\consrv.dll
- C:\Windows\system64\consrv.dll
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.

OK, now the part where you have to be extremely careful with what you're doing.

VERY IMPORTANT! Create new restore point!

Now, go Start and in "Start search" type in: regedit
Press Enter.

Registry editor will open.
Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
In right pane you'll see a line named "Windows"
Right click on it, click "Modify".
A pop-up window will open.
In "Value data" box you'll see this:
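
An added example (not the helper's instructions, and not from the thread) that does the read-only part of the check above from an elevated PowerShell prompt: it reads the SubSystems\Windows value, flags any ServerDll= entry that does not name one of the stock server DLLs, and hashes any consrv.dll found in the two locations the helper asked about so the hash can be looked up on VirusTotal without uploading. It assumes a clean Windows 7 system lists only basesrv, winsrv and sxssrv as ServerDll entries, and that Get-FileHash is available (PowerShell 4 or later).

```powershell
# Added example: read-only inspection for the consrv.dll ServerDll hijack.
# Assumption: on a clean system every ServerDll= entry names basesrv, winsrv or sxssrv.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$value = (Get-ItemProperty -Path $key -Name Windows).Windows
Write-Host "Current SubSystems\Windows value:`n$value`n"

$expected = @('basesrv', 'winsrv', 'sxssrv')
$findings = @()

# Each entry looks like ServerDll=<dll>[:<entry point>],<index>; isolate <dll>.
foreach ($token in ($value -split '\s+')) {
    if ($token -like 'ServerDll=*') {
        $dll = (($token -replace '^ServerDll=', '') -split '[:,]')[0]
        if ($expected -notcontains $dll.ToLower()) {
            $findings += "Unexpected ServerDll entry: $token"
        }
    }
}

# The two paths from the thread; a system64 folder does not exist on a clean install.
$paths = @("$env:SystemRoot\System32\consrv.dll",
           "$env:SystemRoot\system64\consrv.dll")
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += "File present: $p  SHA256=$hash"
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No consrv.dll indicators found.'
} else {
    $findings | ForEach-Object { Write-Host "[!] $_" }
}
```

The script only reads; it makes no registry change, so it still works when the value's permissions have been altered and Modify fails as described later in the thread.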

I ran through the process once and found the same result as the last time I ran BlitzBlank. Upon closer inspection of the process I find I am unable to alter the registry. Every time I right click/Modify, edit the code, and click OK it appears unaltered. When I open the key again it still reads as: